Just two months after taking office, in July 2017, Food and Drug Administration (FDA) Commissioner Scott Gottlieb announced the agency’s Digital Health Innovation Action Plan, which recognized that “digital technology has been driving a revolution in health care,” and outlined the agency’s “vision for fostering digital health innovation while continuing to protect and promote the public health.” In the 11 months since, FDA has devoted significant attention to meeting these goals, including in many ways reimagining FDA’s regulatory approach. FDA has made meaningful progress toward its stated goal of “assuring that all Americans, including patients, consumers and other health care customers have timely access to high-quality, safe and effective digital health products.” At the same time, it is clear that more change is in store, as FDA continues to evaluate and amend its approach to meet the demands of the rapidly evolving digital health space.

Digital Health Innovation

The past five years have seen an explosion in digital health innovation, with technologies emerging to encourage healthy lifestyles; facilitate disease prevention; enable early diagnosis; identify treatment options; support disease management; and assist health care professionals, patients and caregivers in a wide range of health care scenarios. These technologies promise better-informed decisions, new treatment options and more efficient health care services. They also involve new challenges relating to manufacturers and developers that have not previously been regulated by FDA, increased cybersecurity risks, interoperability demands, and products that are ill-suited to FDA’s traditional medical device regulatory paradigm given their rapid development times and frequent modifications.

New digital health technologies involve new challenges relating to manufacturers and developers that have not previously been regulated by FDA.

In late 2016, Congress took steps to address this disconnect in the 21st Century Cures Act, which exempted a number of types of medical software from the Food, Drug and Cosmetic Act’s definition of medical “device,” thereby eliminating FDA’s regulatory jurisdiction. The act also clarified that medical device accessories are to be regulated based on their own intended use rather than that of the device with which they are to be used. (FDA first took that position in a 2015 draft guidance, breaking from its historic position that device accessories were classified based on their parent device.) The 21st Century Cures Act thus reflected Congress’ effort to focus FDA’s regulatory oversight on riskier digital health technology while exempting products that might technically have met the statutory definition of medical device but presented lower risk.

FDA’s Response to Digital Health Regulation

FDA’s Center for Devices and Radiological Health (CDRH), the component responsible for regulating digital health devices including medical software, has embraced this congressional mandate. The digital health action plan recognized that “an efficient, risk-based approach to regulating digital health technology” was required, as “[t]raditional implementation of [FDA’s] premarket requirements may impede or delay patient access to critical evolutions of software technology, particularly those presenting a lower risk to patients.” The plan committed that, within the following year, FDA would (1) issue new guidance implementing the 21st Century Cures Act, (2) pilot a novel digital health software precertification (Pre-Cert) program that would exempt certain products from FDA premarket review and expedite the process of getting others to market, and (3) hire new staff for CDRH’s Digital Health Program.

FDA has made good on these commitments. In December 2017, FDA issued three draft guidance documents, which clarified changes to FDA’s regulatory approach in light of the 21st Century Cures Act, specifically addressed which types of clinical decision support and patient decision support software FDA would continue to regulate, and adopted the International Medical Device Regulators Forum approach to clinical evaluation of medical software. In late April 2018, FDA issued another draft guidance, this time clarifying its approach to products with both device and nondevice functions. In each of these guidance documents, FDA has conveyed its desire to focus its regulatory oversight on higher-risk devices by identifying substantial categories of products over which it has jurisdiction but for which it does not intend to enforce its regulatory requirements.

FDA also has made significant strides toward implementing its digital health software Pre-Cert program, which it has analogized to “TSA precheck for medical software.” FDA announced the creation of the Pre-Cert program when it unveiled its digital health action plan. In September 2017, FDA announced the nine companies it had selected to participate in the Pre-Cert pilot program, which included both traditionally FDA-regulated companies such as Roche and Johnson & Johnson, as well as others like Apple and Fitbit. In April 2018, FDA published its working model for the Pre-Cert program, which described its vision for “a more streamlined and efficient regulatory oversight of software-based medical devices from manufacturers who have demonstrated a robust culture of quality and organizational excellence ... and who are committed to monitoring real world performance,” and solicited stakeholder input on specific questions. The feedback FDA receives will shape its next steps in the Pre-Cert program. This request — and FDA comments regarding other rapidly evolving areas of digital health innovation, such as real world evidence generation and use — reflects the agency’s clear recognition that industry input is critical to fostering innovation and advancement in the digital health space.

Other Key Considerations

While FDA may play the most meaningful role in the ongoing evolution of the digital health space, other federal agencies also have oversight over certain aspects of digital health products, including those that will not be regulated as medical devices. For example, the Department of Health and Human Services Office for Civil Rights has published its “Health App Use Scenarios & HIPAA,” which offers guidance on when the Health Information Portability and Accountability Act (HIPAA) applies to mobile health app developers. In instances where HIPAA does not apply, the Federal Trade Commission (FTC) has made clear that it will exercise its general jurisdiction over the privacy and security of apps and software, and has issued best practices regarding data privacy and security for mobile health app developers. The FTC also has jurisdiction over the advertising of unrestricted medical devices (generally, those that are available without a prescription) and thus may play a role in evaluating the truthfulness and substantiation of marketing claims about digital health products. Thus, in addition to staying abreast of FDA developments, companies operating in or considering getting into the digital health space also should be cognizant of other potential regulators.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.